Horizon dashboard and LDAP user listing result in 504 Gateway Time-Out

Solution Verified - Updated -

Environment

Red Hat OpenStack Platform 13.0

Issue

  • When LDAP is integrated with OpenStack, keystone times out while fetching the user list from the LDAP server.
  • This results in a 504 Gateway Time-Out.

Resolution

  • If using an LDAP back end for authentication, add the following line to /etc/openldap/ldap.conf on all controller nodes.

    NETWORK_TIMEOUT 2
    
  • Then modify the haproxy.cfg file on all controllers (file path: /var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg), changing the marked values in the defaults section:

    defaults
      log  global
      maxconn  8192        # <== changed
      ...
      timeout  connect 10s
      timeout  client 5m   # <== changed
      timeout  server 5m   # <== changed
      ...
    
  • The original configuration looks like this:

    defaults
      log  global
      maxconn  4096
      mode  tcp
      retries  3
      timeout  http-request 10s
      timeout  queue 2m
      timeout  connect 10s
      timeout  client 2m
      timeout  server 2m
      timeout  check 10s
    
  • After modification it looks like this:

    defaults
      log  global
      maxconn  8192
      mode  tcp
      retries  3
      timeout  http-request 10s
      timeout  queue 2m
      timeout  connect 10s
      timeout  client 5m
      timeout  server 5m
      timeout  check 10s
    
  • Finally, restart keystone and haproxy:

    docker restart keystone    # run on all controller nodes
    pcs resource restart haproxy-bundle
    
  • This can also be done via TripleO Heat Templates (THT) parameters to make the changes permanent:

    (overcloud) [stack@undercloud-0 ~]$ cat virt/haproxy_cfg.yaml
    parameter_defaults:
      ControllerExtraConfig:
        tripleo::haproxy::haproxy_defaults_override:
          timeout:
            - 'http-request 10s'
            - 'queue 2m'
            - 'connect 10s'
            - 'client 5m'
            - 'server 5m'
            - 'check 10s'
          maxconn: 8192
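
To confirm that a controller carries the values from the steps above, the following check can be run against its ldap.conf and haproxy.cfg. It is an added example, not part of the original solution or of Red Hat tooling; the function names and the sample files (including the `listen keystone_public` section) are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks a haproxy.cfg "defaults" section and an ldap.conf
# against the values given in this article. Values are compared as literal
# strings, so "300s" would be reported even though it equals "5m".

check_haproxy_defaults() {   # usage: check_haproxy_defaults FILE
    awk '
        # HAProxy sections start with a keyword; indentation is not significant.
        $1 ~ /^(global|defaults|frontend|backend|listen|userlist|peers|resolvers|mailers)$/ { sect = $1; next }
        sect == "defaults" && $1 == "maxconn" { got["maxconn"] = $2 }
        sect == "defaults" && $1 == "timeout" { got["timeout " $2] = $3 }
        END {
            want["maxconn"] = "8192"
            want["timeout client"] = "5m"
            want["timeout server"] = "5m"
            for (k in want) {
                v = (k in got) ? got[k] : "(unset)"
                if (v != want[k]) { printf "%s: found %s, expected %s\n", k, v, want[k]; bad = 1 }
            }
            exit bad + 0   # 1 if any value differs from the article
        }' "$1"
}

check_ldap_timeout() {       # usage: check_ldap_timeout FILE
    # ldap.conf option names are case-insensitive
    grep -Eiq '^[[:space:]]*NETWORK_TIMEOUT[[:space:]]+2[[:space:]]*$' "$1"
}

# Constructed sample input: the "before" and "after" defaults from this article.
# The listen section shows that a per-service timeout does not satisfy the check.
write_samples() {            # usage: write_samples DIR
    printf 'defaults\n  log  global\n  maxconn  4096\n  timeout  connect 10s\n  timeout  client 2m\n  timeout  server 2m\nlisten keystone_public\n  timeout  client 5m\n' > "$1/before.cfg"
    printf 'defaults\n  log  global\n  maxconn  8192\n  timeout  connect 10s\n  timeout  client 5m\n  timeout  server 5m\n' > "$1/after.cfg"
    printf 'NETWORK_TIMEOUT 2\n' > "$1/ldap.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_haproxy_defaults "$tmp/before.cfg" || echo "before.cfg: needs the change"
check_haproxy_defaults "$tmp/after.cfg"  && echo "after.cfg: OK"
check_ldap_timeout "$tmp/ldap.conf"      && echo "ldap.conf: OK"
rm -rf "$tmp"
```

On a controller, pass the real paths named in the steps above instead of the sample files.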
    

Root Cause

  • Keystone times out before the details are fetched from the LDAP server.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
